VMware View is a desktop virtualization solution that simplifies IT manageability and control while
delivering the highest fidelity end-user experience across devices and networks. By encapsulating the
operating systems, applications, and user data into isolated layers, IT organizations can deliver a modern
desktop.
VMware has extended View to support RADIUS authentication as an option in the latest View release.
ActivIdentity offers two solutions:
ActivIdentity® 4TRESS™ AAA Server for Remote Access—Addresses the security risks associated
with a mobile workforce remotely accessing systems and data.
ActivIdentity 4TRESS™ Authentication Server (AS)—Offers support for multiple authentication
methods that are useful for diverse audiences across a variety of service channels (SAML, RADIUS,
etc.), including user name and password, mobile and PC soft tokens, one-time passwords, and
transparent Web soft tokens.
1.1 Scope of Document
This document explains how to set up ActivIdentity 4TRESS AS FT2011 RADIUS authentication with
VMware View.
Use this handbook to enable authentication via an ActivIdentity token (hard token, soft token, SMS token)
for use with a VMware View connection.
1.2 Prerequisites
ActivIdentity 4TRESS Authentication Server FT2011.
VMware View 5.1 or higher, fully functioning with its standard authentication before you start the
RADIUS integration configuration.
Page 4
ActivIdentity 4TRESS Authentication Server (FT2011) and VMWARE View 5.1 | Integration Handbook
This chapter describes how to configure VMware View for RADIUS authentication. When a user signs in to the
VMware View client, the View Connection Server forwards the user's credentials to the RADIUS authentication
server to verify the user's identity. You will create one authenticator (an ActivIdentity 4TRESS AS FT2011 RADIUS
server) that validates the one-time password generated by the user's ActivIdentity token.
2.1 Procedure 1 : Create New Radius Server Instance
1. Open View Administrator from a Web browser (https://hostname/admin on the Connection Server) and log in.
Select View Configuration, then Servers, select the Connection Servers tab, and click Edit to open the Edit
View Connection Server Settings dialog. Select the Authentication tab.
2. Under Advanced Authentication, for 2-factor authentication choose RADIUS.
3. Under Select Authenticator, select Create New Authenticator. This opens the Add RADIUS Authenticator
screen, which allows a primary and a secondary RADIUS authentication server to be configured. Enter the
following:
Label: A label shown to clients
4. Under the Primary Authentication Server section:
Hostname/Address: IP address of the 4TRESS AS
Authentication Type: RADIUS authentication type; use PAP for the initial setup.
Shared secret: The shared secret, the same as entered on the 4TRESS AS server
With PAP the one-time password is not sent in the clear, but it is protected only by the RFC 2865 MD5
password-hiding scheme keyed with this shared secret, so use a long random secret and keep the path
between the Connection Server and the 4TRESS AS on a trusted network segment.
1. After authenticating to RADIUS, you may get another prompt if the RADIUS server responded with a
supported Access-Challenge. Full generic RADIUS challenge/response is not supported, but a limited
Access-Challenge for a string token code is supported (for example, for SMS authentication).
For details on how authenticating with an out-of-band SMS code works, refer to the ActivIdentity
4TRESS FT2011 documentation.
2. In the RADIUS authentication configuration under Advanced Authentication, if Enforce 2-factor and Windows
user name matching is ticked, then the Windows login prompt shown after RADIUS authentication forces the
user name to be the same as the RADIUS user name, and the user cannot modify it. Ticking this option prevents
a user who holds one person's token from signing in to a different Windows account.
3.0 ActivIdentity 4TRESS AS Configuration: Sequence of Procedures
This chapter describes the procedures required to configure ActivIdentity 4TRESS Authentication Appliance
support for an RFE component installed on an appliance.
You will perform these steps using the ActivIdentity 4TRESS Management Console. Be sure you have the
ActivIdentity 4TRESS Authentication Appliance Administration Guide: Management Console technical publication
on hand. This chapter does not provide all the details.
3.1 Procedure 1 : Configure RADIUS Channel
A RADIUS channel for the RFE deployment defines a group of access controllers and specifies how to handle
authentication requests.
Using a policy configured for the channel, you will filter the requests according to the IP address or hostname of
the access controllers.
1. Launch the ActivIdentity 4TRESS Management Console.
2. When prompted, enter your User name and Password, and then click Submit.
3. Select the Configuration tab, and then in the pane to the left under Policies, click Channels.
4. In the list displayed to the right when you click Channels, click the VPN Remote Access channel.
Important: To configure the RADIUS channel policy, you can either create a new channel using the
Add or Copy options, or edit an existing channel by clicking the channel name in the list displayed to
the right of the page. ActivIdentity recommends that you use the Remote Access channel—this is the
pre-defined RADIUS channel.
5. In the VPN Remote Access Details section displayed, accept the default for Description, or change it. Make
sure the Name, Type, and Code are correct.
6. Click Channel Policy to expand the section and display the configuration options.
7. Enter and confirm the Shared secret.
The shared secret authenticates the exchanges between the appliance(s) and the access controllers (it keys
the RADIUS Response Authenticator and hides the User-Password attribute); it does not encrypt the rest of
the RADIUS traffic. The secret must be the same for each controller configured in the channel policy and must
not exceed 40 characters. By default, the secret for a pre-defined gate is ActivIdentity; replace this
well-known default with a long random value before the channel accepts requests from the network.
Important: Make sure that each access controller is configured with the shared secret you specified
above. If necessary, repeat the steps to authorize access for additional controllers.
8. Click Add.
The Add Authorized IP addresses or host names list is displayed. Use these settings to configure the
access controllers that are authorized to use the gate for authentication.
9. For an IP address, enter the valid network range (for example, 192.168.0.0/24). Keep the range as narrow
as the deployment allows, ideally the individual addresses of the View Connection Servers, because every
host inside it may submit authentication requests under the shared secret.
Important: You can select either a host name—and then enter the name of the machine hosting the
access controller—or you can enter an IP address, and then enter an address and range of the
access controller. ActivIdentity recommends that you use an IP address rather than a host name. If the
DNS cannot translate the host name, then the RFE will not restart.
10. Click Save.
The access controller is displayed in the Channel page. Now, it is authorized to use the gate for
authentication requests.
Reminder: Have the ActivIdentity 4TRESS Authentication Appliance Administration Guide:
Management Console technical documentation on hand. This document only presents summary
steps.
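The exchange that chapter 2 and Procedure 3.1 describe, as an added example that is not ActivIdentity or VMware code: a minimal RFC 2865 RADIUS PAP client and server in Python. The server stands in for the 4TRESS AS channel policy (authorized access-controller ranges, one shared secret, silent discard of requests from unauthorized addresses) and the client plays the View Connection Server, including the limited Access-Challenge round trip used for an SMS string token code. The shared secret, addresses, user names, PIN and codes are constructed for the example, and TokenServer and view_login are illustrative names, not product APIs.

```python
# Added example: RFC 2865 RADIUS PAP exchange modelled on View -> 4TRESS AS (not product code).
import hashlib
import hmac
import ipaddress
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
USER_NAME, USER_PASSWORD, REPLY_MESSAGE, STATE = 1, 2, 18, 24


def pack_attrs(attrs):
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def parse_attrs(data):
    attrs = []
    while data:
        t, length = struct.unpack("!BB", data[:2])
        if length < 2 or length > len(data):
            raise ValueError("malformed attribute")  # never loop or over-read on bad input
        attrs.append((t, data[2:length]))
        data = data[length:]
    return attrs


def build_packet(code, ident, authenticator, attrs):
    body = pack_attrs(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def parse_packet(pkt):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    return code, ident, pkt[4:20], parse_attrs(pkt[20:length])


def pap_transform(data, secret, req_auth, decode=False):
    """RFC 2865 s.5.2 User-Password hiding: XOR each 16-byte block with MD5(secret + previous cipher block)."""
    data = data + b"\x00" * (-len(data) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(data), 16):
        block = bytes(x ^ h for x, h in zip(data[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + block, (data[i:i + 16] if decode else block)
    return out.rstrip(b"\x00") if decode else out


def response_authenticator(code, ident, req_auth, attrs, secret):
    """RFC 2865 s.3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = pack_attrs(attrs)
    return hashlib.md5(struct.pack("!BBH", code, ident, 20 + len(body)) + req_auth + body + secret).digest()


def verify_response(resp, req_auth, secret):
    code, ident, auth, attrs = parse_packet(resp)
    return hmac.compare_digest(auth, response_authenticator(code, ident, req_auth, attrs, secret))


class TokenServer:
    """Stand-in for the 4TRESS AS RADIUS channel policy (constructed users and codes)."""
    def __init__(self, secret, authorized_networks):
        self.secret = secret
        self.authorized = [ipaddress.ip_network(n) for n in authorized_networks]
        self.otp_users = {b"alice": b"482913"}           # constructed: current hard/soft token code
        self.sms_users = {b"bob": (b"1234", b"771204")}  # constructed: (PIN, code sent out-of-band by SMS)
        self.pending = {}                                # State -> (user, expected SMS code)

    def handle(self, src_ip, pkt):
        if not any(ipaddress.ip_address(src_ip) in n for n in self.authorized):
            return None  # RFC 2865 s.3: requests from unauthorized clients are silently discarded
        _, ident, req_auth, attrs = parse_packet(pkt)
        a = dict(attrs)
        user = a.get(USER_NAME, b"")
        pw = pap_transform(a.get(USER_PASSWORD, b""), self.secret, req_auth, decode=True)
        if STATE in a:  # second leg: the client echoed State and sent the SMS code as the password
            user_code = self.pending.pop(a[STATE], (None, b""))
            ok = user_code[0] == user and hmac.compare_digest(pw, user_code[1])
            return self._reply(ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, req_auth, [])
        if user in self.otp_users and hmac.compare_digest(pw, self.otp_users[user]):
            return self._reply(ACCESS_ACCEPT, ident, req_auth, [])
        if user in self.sms_users and hmac.compare_digest(pw, self.sms_users[user][0]):
            state = os.urandom(8)
            self.pending[state] = (user, self.sms_users[user][1])
            return self._reply(ACCESS_CHALLENGE, ident, req_auth,
                               [(STATE, state), (REPLY_MESSAGE, b"Enter the code sent to your phone")])
        return self._reply(ACCESS_REJECT, ident, req_auth, [])

    def _reply(self, code, ident, req_auth, attrs):
        auth = response_authenticator(code, ident, req_auth, attrs, self.secret)
        return build_packet(code, ident, auth, attrs)


def view_login(server, src_ip, user, passcode, secret, challenge_answer=None):
    """Plays the View Connection Server; returns accept/reject/challenge/dropped/bad-authenticator."""
    ident, req_auth = 1, os.urandom(16)
    attrs = [(USER_NAME, user), (USER_PASSWORD, pap_transform(passcode, secret, req_auth))]
    resp = server.handle(src_ip, build_packet(ACCESS_REQUEST, ident, req_auth, attrs))
    if resp is None:
        return "dropped"  # no reply at all: the Connection Server address is not authorized
    if not verify_response(resp, req_auth, secret):
        return "bad-authenticator"  # secret mismatch or tampered reply: never act on the code
    code, _, _, rattrs = parse_packet(resp)
    if code == ACCESS_CHALLENGE:
        if challenge_answer is None:
            return "challenge"  # View shows Reply-Message and prompts for the string token code
        ident, req_auth = ident + 1, os.urandom(16)
        attrs = [(USER_NAME, user), (USER_PASSWORD, pap_transform(challenge_answer, secret, req_auth)),
                 (STATE, dict(rattrs)[STATE])]
        resp = server.handle(src_ip, build_packet(ACCESS_REQUEST, ident, req_auth, attrs))
        if not verify_response(resp, req_auth, secret):
            return "bad-authenticator"
        code = parse_packet(resp)[0]
    return {ACCESS_ACCEPT: "accept", ACCESS_REJECT: "reject"}.get(code, "unexpected")
```

Two failure modes from the procedures show up differently in this model: an address outside the authorized list (step 9) gets no reply at all, so on the View side it looks like a timeout rather than an error, while a shared-secret mismatch (step 7) turns the hidden password into garbage on the server and fails the Response Authenticator check on the client.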
3.2 Procedure 2 : Managing User Repositories: An Overview
The “User Repositories” function of the ActivIdentity 4TRESS Management Console defines parameters for using
LDAP servers as the source of user data for the appliance system. By configuring the appliance to communicate
with your LDAP directory server, you enable access to user data for authentication purposes.
3.2.1 Create User Repository
1. Logged into the ActivIdentity 4TRESS Management Console, select the Configuration tab.
2. In the pane to the left, under Environment, click User Repositories.
3. In the page displayed to the right, click Add.
5. Adapter—Select the adapter from the drop-down list that corresponds to your directory type (either Novell®
eDirectory or Microsoft® Active Directory).
6. Host—Enter the IP address or hostname of the server where your LDAP directory resides.
7. Port—Enter the Port (the LDAP directory server's listening port; 389 is the standard port for plain LDAP).
8. In the Configure connection login credentials section of the page, enter the user credentials that the
appliance will use to access the LDAP database, then enter and confirm the user's Password. You MUST
indicate the full User DN. Use a dedicated directory account with read-only rights for this bind; the appliance
stores the password, so it should not be an administrator's account.
10. Select the Enabled options for the appliance attributes to be mapped to the LDAP attributes.
11. Click Save. A success message appears.
3.3 Procedure 3 : Configure Administration Groups, User Types, User Repositories, and
Authentication Policies
For details, refer to the ActivIdentity 4TRESS Authentication Appliance Administration Guide: Management
Console technical documentation. This section summarizes the remaining procedures to perform before Web soft
tokens can be activated.
Use the ActivIdentity 4TRESS Management Console to create and update administration groups within user
types. Then you can add users to the administration groups.
User types define categories of users. A hierarchy of administration groups exists for each user type.
For each user type, you can define:
User repositories relating to the user type,
Authentication policies accessible to users of this type, and
User attributes for users of this type.
There are default user types. Installing the ActivIdentity 4TRESS Appliance Server automatically sets up a
number of user types. For each user type, there are pre-defined system users. Collectively, these sample
users have all the required privileges to administer the system. You can use the base data set as provided, or
modify it to meet your specific requirements.
1. Map the user repository to a user type.
2. Assign an authentication policy to a user type.
3. Map the user repository to an administration group.
Administration groups provide a way to organize (partition) users for administrative purposes, as well as a
way to assign permissions to users through membership of administration groups.
The VMware View client displays fields for User name and Passcode. Enter the user name in the User name
field and the one-time password generated by the token in the Passcode field.
If the OTP is correct, the user is then prompted for his or her Active Directory password:
Americas +1 510.574.0100
US Federal +1 571.522.1000
Europe +33 (0) 1.42.04.84.00
Asia Pacific +61 (0) 2.6208.4888
Email info@actividentity.com
Web www.actividentity.com
Legal Disclaimer
ActivIdentity, the ActivIdentity (logo), and/or other ActivIdentity products or marks referenced
herein are either registered trademarks or trademarks of HID Global Corporation in the United
States and/or other countries. The absence of a mark, product, service name or logo from this
list does not constitute a waiver of the trademark or other intellectual property rights concerning
that name or logo. VMWARE and the VMWARE logo are registered trademarks of VMWARE,
Inc. in the United States and other countries.The names of other third-party companies,
trademarks, trade names, service marks, images and/or products that happened to be
mentioned herein are trademarks of their respective owners. Any rights not expressly granted
herein are reserved.